Diffstat (limited to 'roles/openshift_aws/tasks')
| -rw-r--r-- | roles/openshift_aws/tasks/build_node_group.yml | 3 | ||||
| -rw-r--r-- | roles/openshift_aws/tasks/iam_role.yml | 36 | ||||
| -rw-r--r-- | roles/openshift_aws/tasks/launch_config_create.yml | 4 | 
3 files changed, 43 insertions, 0 deletions
diff --git a/roles/openshift_aws/tasks/build_node_group.yml b/roles/openshift_aws/tasks/build_node_group.yml
index 852adc7b5..7e8e9b679 100644
--- a/roles/openshift_aws/tasks/build_node_group.yml
+++ b/roles/openshift_aws/tasks/build_node_group.yml
@@ -27,6 +27,9 @@
 - set_fact:
     l_epoch_time: "{{ ansible_date_time.epoch }}"
+- when: openshift_aws_create_iam_role
+  include: iam_role.yml
+
 - when: openshift_aws_create_launch_config
   include: launch_config.yml
diff --git a/roles/openshift_aws/tasks/iam_role.yml b/roles/openshift_aws/tasks/iam_role.yml
new file mode 100644
index 000000000..d9910d938
--- /dev/null
+++ b/roles/openshift_aws/tasks/iam_role.yml
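Review bot: `when: openshift_aws_create_iam_role` references a new variable whose default is not visible in this diff (the diffstat is limited to `tasks/`), so unless `defaults/main.yml` gains an entry elsewhere in the commit, the new include fails on an undefined variable rather than being skipped. If no default is added, `when: openshift_aws_create_iam_role | default(false)` keeps the role usable for callers that never set it. Using `include:` matches the neighbouring `launch_config.yml` include, so the style is consistent with the file.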
@@ -0,0 +1,36 @@
+---
+#####
+# Instance profiles consist of two parts. The first part is creating a role
+# in which the instance has access and will use this role's permissions
+# to make API calls on his behalf.  This role requires a trust policy
+# which links a service (ec2) to the role.  This states that this role
+# has access to make call ec2 API calls.
+# See ../files/trustpolicy.json
+#
+# Currently openshift-node requires
+# access to the AWS API to call describeinstances.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1510519
+#####
+- name: Create an iam role
+  iam_role:
+    name: "{{ item.value.iam_role }}"
+    assume_role_policy_document: "{{ lookup('file','trustpolicy.json') }}"
+    state: "{{ openshift_aws_iam_role_state | default('present') }}"
+  when: item.value.iam_role is defined
+  with_dict: "{{ l_nodes_to_build }}"
+
+#####
+# The second part of this task file is linking the role to a policy
+# that specifies which calls the role can make to the ec2 API.
+# Currently all that is required is DescribeInstances.
+# See ../files/describeinstances.json
+#####
+- name: create an iam policy
+  iam_policy:
+    iam_type: role
+    iam_name: "{{ item.value.iam_role }}"
+    policy_json: "{{ item.value.policy_json }}"
+    policy_name: "{{ item.value.policy_name }}"
+    state: "{{ openshift_aws_iam_role_state | default('present') }}"
+  when: item.value.iam_role is defined
+  with_dict: "{{ l_nodes_to_build }}"
diff --git a/roles/openshift_aws/tasks/launch_config_create.yml b/roles/openshift_aws/tasks/launch_config_create.yml
index 8265c2179..a688496d2 100644
--- a/roles/openshift_aws/tasks/launch_config_create.yml
+++ b/roles/openshift_aws/tasks/launch_config_create.yml
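Review bot: The `when: item.value.iam_role is defined` guard on both tasks is weaker than the `iam_role != ''` test the launch_config_create.yml hunk applies, so a node group that sets `iam_role: ''` skips the instance profile there but still reaches `iam_role:` here with an empty `name`; make both guards `when: item.value.iam_role is defined and item.value.iam_role != ''` so the two files agree. The second task also reads `item.value.policy_json` and `item.value.policy_name` without checking they exist, so a group that sets only `iam_role` fails inside the module instead of at a clear guard. Because the header comment states that DescribeInstances is all openshift-node needs, I would add above `policy_json:` a comment such as `# keep policy_json scoped to what the node needs (DescribeInstances, see ../files/describeinstances.json)` so later additions to a group's policy are deliberate. With `openshift_aws_iam_role_state: absent` the role task runs before its policies are removed; whether the module tolerates that is not visible here and is worth a test.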
@@ -15,6 +15,10 @@
     image_id: "{{ l_aws_ami_map[launch_config_item.key] | default(openshift_aws_ami) }}"
     instance_type: "{{ launch_config_item.value.instance_type }}"
     security_groups: "{{ openshift_aws_launch_config_security_group_id  | default(ec2sgs.security_groups | map(attribute='group_id')| list) }}"
+    instance_profile_name: "{{ launch_config_item.value.iam_role if launch_config_item.value.iam_role is defined and
+                                                                    launch_config_item.value.iam_role != '' and
+                                                                    openshift_aws_create_iam_role
+                                                                 else omit }}"
     user_data: "{{ lookup('template', 'user_data.j2') }}"
     key_name: "{{ openshift_aws_ssh_key_name }}"
     ebs_optimized: False
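Review bot: The four-line conditional inside the double-quoted `instance_profile_name` scalar is hard to read and depends on YAML folding the line breaks into spaces; resolving the name in a `set_fact` before this task, or a shorter `{{ launch_config_item.value.iam_role | default('', true) }}`-style expression with a separate `when`, keeps the launch-config declaration flat. The value passed is the role name, so the expression assumes an instance profile with the same name exists — presumably created together with the role in iam_role.yml — and that coupling deserves a comment such as `# instance profile is expected to carry the same name as the role created in iam_role.yml`. It also silently omits the profile when `openshift_aws_create_iam_role` is false even if the group names a role, which the task name should make clear. The enclosing task starts before this hunk and may continue past it.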
